R003 Itsybitsy

Learnings

  • Windows binary tool - bitsadmin

  • File Sharing sites like pastebin[.]com

The room focuses on hunting for potential Command & Control (C2) communication from a machine, using HTTP connection logs to analyse the C2 pattern. While looking for suspicious attributes, the HTTP user agent stood out: some events are logged with the user agent "bitsadmin". Bitsadmin is a Windows command-line tool for creating, monitoring and managing BITS (Background Intelligent Transfer Service) download and upload jobs, which makes it a convenient living-off-the-land binary for fetching payloads. In production telemetry the BITS client usually identifies itself as "Microsoft BITS/<version>"; in this dataset the logs carry "bitsadmin" directly.

Filtering on this user agent shows that the host reached "pastebin.com". Paste sites are meant for sharing code and text snippets, but an attacker can host a malicious snippet or C2 instructions there, and a legitimate binary such as bitsadmin will download it on their behalf, so the traffic blends in with ordinary tooling.
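The hunt described above (scope to a month, surface rare user agents, then pivot on the BITS user agent to the source IP, contacted hosts, URLs and file names) as a small script. This is an added example, not part of the room or the original writeup; the log lines are constructed JSON events in the style of a Zeek/ELK http log with RFC 5737 test addresses and a placeholder paste path, so none of the values match the room's real answers.

```python
import json
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample of HTTP connection events (not the room's real dataset).
# One JSON object per line; IPs are RFC 5737 test addresses, paths are placeholders.
SAMPLE_LOG = r"""
{"@timestamp":"2022-02-27T18:02:40Z","source_ip":"198.51.100.23","host":"www.example.org","uri":"/","user_agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/98.0"}
{"@timestamp":"2022-03-01T08:15:02Z","source_ip":"198.51.100.23","host":"www.example.org","uri":"/index.html","user_agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/98.0"}
{"@timestamp":"2022-03-01T08:16:44Z","source_ip":"198.51.100.23","host":"www.example.org","uri":"/login","user_agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/98.0"}
{"@timestamp":"2022-03-02T09:41:17Z","source_ip":"198.51.100.42","host":"pastebin.com","uri":"/raw/CONSTRUCTED","user_agent":"bitsadmin"}
{"@timestamp":"2022-03-02T09:41:29Z","source_ip":"198.51.100.42","host":"files.example.net","uri":"/drop/stage2.txt","user_agent":"Microsoft BITS/7.8"}
{"@timestamp":"2022-03-05T14:03:10Z","source_ip":"198.51.100.23","host":"www.example.org","uri":"/news","user_agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/98.0"}
"""

# User-agent prefixes that indicate a BITS transfer. "bitsadmin" is the value seen
# in the room's logs; "Microsoft BITS/<version>" is what the BITS client normally sends.
BITS_UA_PREFIXES = ("bitsadmin", "microsoft bits/")


def parse_events(text):
    """Parse one JSON event per line and attach a datetime under 'ts'."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["@timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def events_in_month(events, year, month):
    """Scope the hunt to one calendar month (the room's Q1 asks for a monthly count)."""
    return [e for e in events if e["ts"].year == year and e["ts"].month == month]


def rare_user_agents(events, max_count=1):
    """User agents seen at most max_count times: a cheap way to surface odd clients."""
    counts = Counter(e.get("user_agent", "") for e in events)
    return {ua: n for ua, n in counts.items() if n <= max_count}


def is_bits_user_agent(ua):
    """Case-insensitive prefix match against the known BITS user agents."""
    ua = ua.lower()
    return any(ua.startswith(p) for p in BITS_UA_PREFIXES)


def hunt_bits_activity(events):
    """Group BITS-driven requests by source IP; collect hosts, full URLs and file names."""
    findings = defaultdict(lambda: {"events": 0, "user_agents": set(),
                                    "hosts": set(), "urls": [], "files": []})
    for e in events:
        if not is_bits_user_agent(e.get("user_agent", "")):
            continue
        f = findings[e["source_ip"]]
        f["events"] += 1
        f["user_agents"].add(e["user_agent"])
        f["hosts"].add(e["host"])
        f["urls"].append(e["host"] + e["uri"])
        # Treat the last path segment as a file name only if it looks like one.
        last = e["uri"].rstrip("/").rsplit("/", 1)[-1]
        if "." in last:
            f["files"].append(last)
    return dict(findings)


if __name__ == "__main__":
    march = events_in_month(parse_events(SAMPLE_LOG), 2022, 3)
    print("events in March 2022:", len(march))
    print("rare user agents:", rare_user_agents(march))
    for ip, f in hunt_bits_activity(march).items():
        print(ip, f)
```

The rare-user-agent step is what makes this reusable: browsers dominate a proxy log, so anything that appears only a handful of times is worth a look, and a BITS user agent pointing at a paste site from a single workstation is exactly the pattern the room walks through.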

With these events, the questions can be answered successfully.

THM Questions

Q1. How many events were returned for the month of March 2022?

1482

Q2. What is the IP associated with the suspected user in the logs?

192.166.65.54

Q3. The user’s machine used a legit windows binary to download a file from the C2 server. What is the name of the binary?

bitsadmin

Q4. The infected machine connected with a famous filesharing site in this period, which also acts as a C2 server used by the malware authors to communicate. What is the name of the filesharing site?

pastebin.com

Q5. What is the full URL of the C2 to which the infected host is connected?

pastebin.com/yTg0Ah6a

Q6. A file was accessed on the filesharing site. What is the name of the file accessed?

secret.txt

Q7. The file contains a secret code with the format THM{_____}.

THM{SECRET__CODE}
